The audit also found that OLCC has not implemented an appropriate agency-wide IT security management program.

In 2014, voters approved Measure 91, which legalized the production, sale, and use of recreational marijuana in Oregon. State law requires applicants for recreational marijuana business licenses and renewals to submit their application to OLCC. The law also requires the agency to implement a system to track recreational marijuana from seed to sale. In response, OLCC contracted with external vendors to develop, host, and support the Marijuana Licensing System and Cannabis Tracking System (CTS). We found that these systems are functioning properly to facilitate licensing of marijuana businesses and to track marijuana products within the state.

OLCC requires marijuana businesses to track a number of items in the CTS, including daily sales activity, inventory transfers, lab test results, inventory adjustments, and marijuana waste. OLCC has developed initial processes to use this data to identify potential instances of noncompliance in the marijuana industry.

However, auditors determined that immature regulatory processes and poor data quality increase the risk that compliance violations in the recreational marijuana program will go undetected. Specifically, auditors found the following issues increased the risk that OLCC may not detect potential violations or illegal activity:

Reliance on self-reported data from marijuana businesses;

Inconsistent weight measurement systems;

Allowing untracked marijuana inventory in the first 90 days of licensure;

Poor or insufficient data quality in the Cannabis Tracking System; and

An insufficient number of trained inspectors needed for on-site investigations.

Additionally, auditors concluded that better practices are needed to manage marijuana applications and application vendors. They identified the following specific weaknesses:

OLCC lacks processes to monitor some third-party service providers;

OLCC does not have a process for reconciling data transmitted by the licensing system to the tracking system;

Test data exists in the Marijuana Licensing System production environment, increasing the risk that program decisions may be based on unreliable data; and

User account management processes are lacking, which increases the risk of inappropriate access to marijuana systems.

Although the marijuana licensing and tracking systems are hosted and supported by external vendors, OLCC’s information technology (IT) division is responsible for the agency’s network security, web application design and development, database administration, and software development.

Auditors determined OLCC lacks an appropriate IT security management program based on the following identified weaknesses:

OLCC lacks an up-to-date security plan;

IT assets are not sufficiently tracked;

OLCC has not set server or network device baselines and does not have a process to monitor for unauthorized changes or devices;

Management has not developed processes to identify IT security vulnerabilities;

Antivirus solutions are not effectively managed;

Servers and workstations are running on unsupported operating systems;